- Newsgroups: comp.sys.sgi
- Path: sparky!uunet!ornl!utkcs2!darwin.sura.net!spool.mu.edu!sgiblab!sgigate!sgi!rhyolite!vjs
- From: vjs@rhyolite.wpd.sgi.com (Vernon Schryver)
- Subject: Re: restricing root logins
- Message-ID: <s6mae5g@rhyolite.wpd.sgi.com>
- Organization: Silicon Graphics, Inc. Mountain View, CA
- References: <1992Nov10.000731.2740@alias.com> <1992Nov10.134956.525@epas.toronto.edu>
- Date: Tue, 10 Nov 1992 17:06:36 GMT
- Lines: 27
-
- In article <1992Nov10.134956.525@epas.toronto.edu>, adam@epas.utoronto.ca (Adam Iles) writes:
- > In article <1992Nov10.000731.2740@alias.com> chk@alias.com (C. Harald Koch) writes:
- > >Is it possible to restrict root logins to certain ttys? Right now, anyone can
- > >login as root on any terminal line attached to our machines (including modems).
- > >We want to be able to restrict this, so that root logins are allowed only on
- > >"secure" terminals, i.e. those in the computer room. For other lines, we want
- > >people to login as themselves and then su, so we have at least some idea who
- > >became root.
- > >
- > >BSD Un*x had a configuration file listing "secure ttys"; is there an IRIX
- > >equivalent?
- >
- > If you are willing to give root or restricted accounts a special shell
- > (which could be a symbolic link to a standard shell) you could create
- > /etc/dialups and /etc/d_passwd files to put an invalid password on all
- > the "unsecure ttys." The information on these files is in the login(1)
- > man page.
-
-
- That's an interesting idea, and better than my first thought, which
- is to do a little testing of `tty` in /.cshrc or /.login.
-
- Unfortunately, neither solution keeps someone on a different tty
- from using `su`.
-
-
- Vernon Schryver, vjs@sgi.com
-
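The `tty` test mentioned in the reply, sketched as an added example that is not part of the original thread: a POSIX sh allowlist check that root's login file could call, failing closed when there is no tty or the list is unreadable. The list path and device names are hypothetical, and as the reply notes, a check like this does nothing about `su` run from another tty.

```shell
#!/bin/sh
# Added example, not from the thread. The list file path and the device
# names used with it are hypothetical; substitute the local console devices.
#
# List file format assumed here: one device path per line, '#' for comments.

# tty_is_secure TTY LISTFILE
# Returns 0 only when TTY matches a whole line of LISTFILE exactly.
# Fails closed: no tty, unreadable list, or no match all return 1.
tty_is_secure() {
    _tty=$1
    _list=$2
    # `tty` prints "not a tty" when stdin is not a terminal; reject
    # anything that is not a device path.
    case $_tty in
        /dev/*) ;;
        *) return 1 ;;
    esac
    [ -r "$_list" ] || return 1
    # The `|| [ -n ... ]` keeps a final line that lacks a trailing newline.
    while IFS= read -r _line || [ -n "$_line" ]; do
        case $_line in
            ''|'#'*) continue ;;   # skip blank lines and comments
        esac
        if [ "$_line" = "$_tty" ]; then
            return 0
        fi
    done < "$_list"
    return 1
}

# guard_root_login LISTFILE
# Meant to be called early in root's login file, e.g.
#   guard_root_login /etc/root_ttys || exit 1
guard_root_login() {
    _cur=$(tty 2>/dev/null) || _cur=
    if tty_is_secure "$_cur" "$1"; then
        return 0
    fi
    echo "root login not permitted on ${_cur:-unknown tty}" >&2
    return 1
}
```

Exact whole-line matching is deliberate, so a listed `/dev/ttyd1` does not also admit `/dev/ttyd10`.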